Analysis Date: 2014-06-01 14:20:44
MD5: 3745095be9859492fc9975c66192310d
SHA1: 144eb12176a7459536a65d20a8bdf3eff9688f36

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 1b1a4df6b05fb5c1975bf1c279ca3444 sha1: 936bf86d29ca92a3349eb22575bf178eed2d9393 size: 17408
Section .rdata: md5: 34d713a4133c164d1561fa02d896af3d sha1: 791ab6ab72d79ecf08827a7fcd00c9498c7512cf size: 112640
Section .data: md5: e27a44fbd355de41b99d332f209359a2 sha1: 68eef11cf33cb473ffa30bd068e871ae68890509 size: 3072
Section .rsrc: md5: bf619eac0cdf3f68d496ea9344137e8b sha1: 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 size: 512
Section .reloc: md5: f8398fc9a0b895d4aeaab2679d01e226 sha1: c8fcc2f2e2a1d4cf067a92df104434097f36d234 size: 2560
Timestamp: 2014-04-21 08:03:04
Packer: Microsoft Visual C++ ?.?
PEhash: c5ee1b32bde88f32ce8da1e38c8b7b4e1cdf73e6
IMPhash: 9f6fbf34abd659426cbc0dc8bc1dd107
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): no_virus
AV Authentium: no_virus
AV Avira (antivir): TR/Dropper.Gen
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: Trojan.PWS.Ibank.825
AV Eset (nod32): Win32/Korplug.BY
AV Fortinet: W32/Korplug.BY!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Win32.ExplorerHijack.iuW@aqX3hLj
AV Grisoft (avg): Agent4.BVHX
AV Ikarus: Trojan.Agent4
AV Kaspersky: no_virus
AV MalwareBytes: no_virus
AV McAfee: RDN/Generic BackDoor!yj
AV Microsoft Security Essentials: Backdoor:Win32/Plugx.H
AV MicroWorld (escan): Gen:Win32.ExplorerHijack.iuW@aqX3hLj
AV Norman: winpe/Troj_Generic.TZODY
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\All Users\DRM\RasTls\RasTls.exe
Creates Process: C:\Documents and Settings\All Users\DRM\RasTls\RasTls.exe
Creates Mutex: Global\wvkvx

Process
↳ C:\Documents and Settings\All Users\DRM\RasTls\RasTls.exe

Creates Process: C:\WINDOWS\system32\svchost.exe
Creates Process:
Creates Mutex: Global\gbunwodqgillmltcd
Creates Mutex: Global\wvkvx
Creates Mutex: Global\ommdvtuqnjwvdfajh
Creates Mutex: Global\ufiggmvpeeiwv
Creates Mutex: Global\yomxamirg
Creates Mutex: Global\ssmuagced
Creates Mutex: Global\wucme
Creates Mutex: Global\aadodbpkgqnaj
Creates Mutex: Global\mschu
Creates Mutex: Global\imbubnxhqpaew
Creates Mutex: Global\sobdl
Creates Mutex: Global\khuzkeoaogodbtwzx
Creates Mutex: Global\kdklk
Creates Mutex: Global\uimnyxkbx
Creates Mutex: Global\uebeqtnzxjapj
Creates Mutex: Global\khutgmgyc
Creates Mutex: Global\mwmjwuuwpuvcczsph
Creates Mutex: Global\sslavrbgy

Process
↳ Pid 0

Process
↳ C:\WINDOWS\system32\svchost.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\All Users\DRM\RasTls\nprqyjadoqkp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: Global\000000010000000000000100
Creates Mutex: My_Name

Network Details:

Flows UDP: 192.168.1.1:53 ➝ 192.168.1.1:53
Flows UDP: 192.168.1.1:53 ➝ 192.168.1.1:53

Strings